How Worried Should You Be About Dynamic IPs?

One of the oldest, most tried-and-true methods of defeating a DDoS attack is blocking the IP addresses used to execute it. Unfortunately, criminals are acutely aware of that fact – and in response, they’ve begun launching their attacks through a completely different vector: Layer 7, the application layer. By using real IP addresses, they’re able to complete a three-way TCP handshake, bypassing both cookie- and JavaScript-based challenges.

Worse still, many of these attacks have grown surprisingly complex, implementing human-like browsing behaviors, patterns, and timing. This means that the larger the attacks are, the more difficult they are to detect. IP-based defense systems cannot effectively tell the difference between these attacks and legitimate visitors – meaning that if they’re all you have in place, you might be a sitting duck.

But how likely are you to be targeted by a dynamic IP-based attack? And what measures can you take to defend yourself if you are? Answering those questions starts with an understanding of how these attacks are commonly executed.

How Are Hackers Abusing Dynamic IPs?

Generally speaking, attacks made using dynamic IPs require a large pool of IP addresses. Attackers can gain access to such a pool in one of four ways: through a botnet, a list of SOCKS proxies, certain VPN services, or some cloud services. By far the most common of these is the botnet, but that doesn’t mean you should discount the others.


  • Botnets: Botnets are typically created through malware, and consist of a large number of infected ‘zombie’ systems – most users that are part of a botnet might not even realize that their computer is infected. Personal routers or modems are the easiest target, though with the Internet of Things the variety and range of infected devices is slated to sharply increase.
  • SOCKS Proxies: Many amateur and hobbyist forums provide lists of SOCKS proxies to their users, with new lists submitted every day. These forums often host a number of different attack tools and scripts that can abuse these lists to generate false traffic which is generally indiscernible from real traffic.
  • VPN Services: VPN services such as Hotspot Shield, TunnelBear, and CyberGhost offer a massive pool of IP addresses (over 100,000). In some cases, unscrupulous VPN hosts might ‘rent out’ their services to criminal agents to be used as botnets. Some advanced scripts may even make use of VPNs in the process of an attack.
  • Cloud Services: Cloud providers often offer a ‘free’ tier for developers and users seeking to run small servers and applications on their infrastructure. That’s good news for small businesses, but even better news for hackers, who can abuse this service for malicious purposes. Providers with insufficient security checks (or customers with weak credentials) are easy prey for hackers, who can use them to generate massive quantities of fraudulent accounts (and traffic).


What Can You Do About It?

Simple: look at your defenses. Traditional security cannot adequately mitigate dynamic IP-based attacks. If you’re to safeguard your business against them, you need a system with advanced behavior-based detection mechanisms that can identify headless browsers, malicious bots, and other forms of attack.
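To make the contrast concrete, here is an added example (not code from the original post or from Radware) that runs a classic per-IP rate limiter and a simple behavior-based check over a constructed access log: a Layer 7 flood spread across 40 source IPs with two requests each and machine-regular timing, mixed with two real visitors. The log entries, IP ranges, thresholds and the "real browsers also fetch /static/app.js" heuristic are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (ip, unix timestamp, path); not real traffic.
# 40 attacking IPs send two /search requests each, 0.25 s apart, never
# fetching static assets; two real visitors load the page and its script.
ATTACK = [(f"203.0.113.{i}", 100.0 + i * 0.5, "/search?q=x") for i in range(1, 41)]
ATTACK += [(f"203.0.113.{i}", 100.0 + i * 0.5 + 0.25, "/search?q=y") for i in range(1, 41)]
REAL = [
    ("198.51.100.7", 101.3, "/search?q=boots"), ("198.51.100.7", 101.4, "/static/app.js"),
    ("198.51.100.9", 107.9, "/search?q=hats"), ("198.51.100.9", 108.1, "/static/app.js"),
]
LOG = sorted(ATTACK + REAL, key=lambda e: e[1])


def per_ip_rate_limit(events, limit, window=10.0):
    """Classic defence: flag any IP making more than `limit` requests
    within any `window`-second span. Blind to a flood spread thinly."""
    per_ip = defaultdict(list)
    for ip, ts, _ in events:
        per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        for i, t in enumerate(times):
            if sum(1 for x in times[i:] if x < t + window) > limit:
                flagged.add(ip)
                break
    return flagged


def behavioural_flags(events, cv_threshold=0.2):
    """Behaviour-based check on the dynamic endpoint as a whole: if the
    aggregate inter-arrival timing is metronomic (low coefficient of
    variation) and a client never loads the assets a real browser fetches
    after the page, treat that client as a bot regardless of its IP."""
    dynamic = [(ip, ts) for ip, ts, path in events if path.startswith("/search")]
    gaps = [b - a for (_, a), (_, b) in zip(dynamic, dynamic[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return set()
    regular = pstdev(gaps) / mean(gaps) < cv_threshold
    loads_assets = {ip for ip, _, path in events if path.startswith("/static/")}
    return {ip for ip, _ in dynamic if regular and ip not in loads_assets}
```

Against this log the rate limiter flags nothing, while the behavioural check flags all 40 attacking IPs and neither real visitor.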

By incorporating a system that can identify and weed out bad actors in real time, you’ll be well-equipped to protect your business, and dynamic IP-based attacks will be nothing to worry about.

That isn’t to say there aren’t other threats you need to mitigate, however. For a more complete picture of the threat landscape facing your enterprise, download the Radware Global Application & Network Security Report.